From:

http://lists.samba.org/archive/samba-technical/2006-March/046171.html

> as the MIT krb5's krb5_rd_req does an explicit close on the keytab when it
> was able to decrypt the ticket (but the ticket is not yet or no longer
> valid), we crash on calling krb5_ktfile_get_entry the next time as the
> krb5_keytab has become invalid. (to reproduce set your clock to a wrong
> time and use "use kerberos keytab = yes).

Although some versions of Samba have a workaround for this, it would
be wise to validate the file handle before deferencing it in kt_file.c.

See attached patch.

regards,

-- Luke